
Trojan.Zefarch

Posted: June 15, 2010

Trojan.zefarch is a Trojan threat that alters your online search results to redirect you to malicious websites or websites that offer affiliate rewards for traffic. The first Trojan.zefarch infections were seen several years ago, but Trojan.zefarch is still a threat to your PC's security. Although Trojan.zefarch itself will cause limited harm to your computer, websites that Trojan.zefarch may redirect you to are capable of causing more serious damage by abusing web browser security flaws. If you see strange search results after using a search engine and suspect that Trojan.zefarch is interfering with your browsing habits, conduct a full system scan in Safe Mode to remove Trojan.zefarch and similar threats from your computer.

The Statistical Roundup on Trojan.zefarch

Trojan.zefarch was first seen in 2009 but is still proliferating in limited numbers as of the time of this writing. Some security programs may detect Trojan.zefarch by variant names like Trojan.Zefarch!gen3, Trojan.Zefarch!gen4, Trojan.Zefarch!gen5 or Trojan.Zefarch!gen6. Trojan.zefarch has also been associated with the Hiloti Trojan, which is often identified with the name Trojan:Win32/Hiloti.

The standard Trojan.zefarch file has been seen at a size of only 131.5 kilobytes, although different compression and packing techniques may alter the file size. Trojans like Trojan.zefarch usually are distributed by malicious scripts embedded in advertisements or harmful websites. Disabling JavaScript and Flash, updating your browser and using updated security software can protect you from Trojan.zefarch infections.

There are no visual cues or other readily noticed signs of a Trojan.zefarch infection on your computer; other than observing Trojan.zefarch's payload, you may not see any other problems with your computer. Trojan.zefarch files are randomly named and stored in the Windows folder, but you won't see Trojan.zefarch memory processes. Trojan.zefarch hooks itself into the default Windows processes explorer.exe and iexplore.exe, which lets Trojan.zefarch run automatically and invisibly.

The Trojan.zefarch Payload That Tilts Your Search Engines Askew

While Trojan.zefarch is active, it will attempt to modify HTML content displayed in your web browser, particularly your search engine results. These alterations will redirect you to paid links or harmful websites that can attack your computer or attempt to steal your personal information.

Trojan.zefarch may also:

  • Add potentially harmful scripts to online content.
  • Create pop-ups or play audio files.
  • Download and launch files without your consent.
  • Track browser-related information, with a particular focus on search results and website traffic. Trojan.zefarch monitors website addresses containing the following text:
    250000.co.uk
    alexa.
    alltheweb.com
    altavista.
    aol.
    asiaco.
    bbc.
    .bing.com
    .google.
    .live.
    .msn.
    .search123.
    .teoma.
    .wanadoo.
  • Last of all, Trojan.zefarch will attempt to infect the process MRT.exe, a process that's often associated with the Windows Malicious Software Removal Tool. If Trojan.zefarch is unable to infect this process, Trojan.zefarch may try to crash it instead.

Deleting Trojan.zefarch, like all Trojans, should be done with the help of an anti-malware or security program. Updating your threat database to the most recent version and running a full scan in Safe Mode will help ensure that your software performs well enough to remove Trojan.zefarch.

Aliases

Hiloti.gen.c (McAfee)
Mal/Hiloti-A (Sophos)
Trojan:Win32/Hiloti.gen!D (Microsoft)

File System Modifications

• The following files were created in the system:
  %UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome.manifest
  %UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\_cfg.js
  %UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\c.js
  %UserProfile%\Application Data\Mozilla\Firefox\Extensions\chrome\content\overlay.xul
  %UserProfile%\Application Data\Mozilla\Firefox\Extensions\install.rdf
  %Windir%\[RANDOM CHARACTERS].dll

Registry Modifications

• The following Registry values and keys are newly created:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[RANDOM CLSID]\"(Default)" = "%Windir%\[RANDOM CHARACTERS].dll"
  HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\sample@example.net
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[RANDOM CLSID]\"(Default)" = "%Windir%\[RANDOM CHARACTERS].dll"
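The file and registry artifacts listed above can be checked for in one pass. The following PowerShell script is an added example written for this page, not the vendor's tool or code; it is read-only, and it assumes the XP-era %UserProfile%\Application Data path given on the page plus the modern %AppData% location for the Firefox profile.

```powershell
# Added example (not from the original page): read-only triage checks for the
# persistence artifacts listed above; it reports, it does not remove anything.
# Run from an elevated PowerShell prompt on the suspect machine.
$findings = @()
$winDir   = $env:WINDIR.TrimEnd('\')

# 1. Browser Helper Objects whose (Default) value points at a DLL sitting
#    directly in %Windir%, as in the Registry Modifications list above.
$bhoRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $default = (Get-ItemProperty -Path $key.PSPath).'(default)'
        if (-not $default) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($default)
        # A legitimate BHO DLL almost never lives in the Windows folder itself.
        if ($path -match '\.dll$' -and
            ((Split-Path $path -Parent).TrimEnd('\') -ieq $winDir)) {
            $findings += "BHO $($key.PSChildName) loads $path"
        }
    }
}

# 2. Winlogon Shell value replaced with something other than explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected explorer.exe)"
}

# 3. Firefox extension files from the File System Modifications list. The page
#    gives the XP-era %UserProfile%\Application Data path; newer Windows keeps the
#    profile under %AppData%, so both locations are checked (assumption).
$extRoots = @(
    (Join-Path $env:USERPROFILE 'Application Data\Mozilla\Firefox\Extensions'),
    (Join-Path $env:APPDATA 'Mozilla\Firefox\Extensions')
)
foreach ($ext in $extRoots) {
    foreach ($rel in 'install.rdf','chrome.manifest','chrome\content\c.js','chrome\content\_cfg.js') {
        $p = Join-Path $ext $rel
        if (Test-Path $p) { $findings += "Firefox extension artifact: $p" }
    }
}

if ($findings.Count -eq 0) { 'No Zefarch-style artifacts found.' } else { $findings }
```

The CleanShutdown value is deliberately not checked: Windows itself writes it on every boot, so it is not a usable indicator on its own.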

One Comment

• Aaron says:

  I've had Trojan.Zefarch!gen on my system for a while now and have had many compromises in my various accounts because of it. I've tried doing everything from multiple AV programs to editing the registry, but it's like a ghost. I constantly see it popping up in my realtime system scans, but I can't quarantine it for some reason. It's infected svcnvdn.dll, which I think is a critical system file as I can't do anything with it. McAfee isn't detecting anything in that file, but Norton is. Neither can quarantine or fix the file and I can't do a hard drive wipe because I lost my installation disks. Can anyone offer any help? I'm sick of losing everything I have because of this.
